
In this blog post, Matthew Green says

Forward secrecy (usually misnamed “perfect forward secrecy”)...

The Wikipedia article on forward secrecy (which the same sentence links to in the blog) says

forward secrecy (FS), also known as perfect forward secrecy (PFS)...

which implies that they are the same thing and nullifies Matthew Green's statement.

Apparently Professor Green's statement is simply a personal disagreement with the term perfect

I'd be interested in knowing how forward secrecy is/isn't 'perfect' (why cryptographers disagree with 'perfect') and why the term was originally attached to forward secrecy.

  • They are the same: What is Perfect forward secrecy? Do you know the meaning of misnamed? – kelalaka Jul 05 '20 at 16:37
  • @kelalaka Yeah I do. It's just that lots of people use words like these ambiguously. So I couldn't really be sure if he disagreed with the terminology or he meant that people often used 'perfect forward secrecy' when they mean 'forward secrecy' because there was a subtle distinction between them that they weren't aware of. Thanks anyways. –  Jul 05 '20 at 16:47
  • 2
    I guess it is still interesting to know how the "perfect" part came into being. I disagree with it as well, as it seems to indicate that the secrecy itself is perfect, which it obviously isn't. Both the DH scheme and the encryption itself can still be attacked. It's pretty far removed from a "perfect cipher" for sure. – Maarten Bodewes Jul 05 '20 at 17:22
  • @MaartenBodewes I have edited the question as you recommended. Feel free to further edit and improve it if you think I haven't phrased it well or something –  Jul 05 '20 at 18:51
  • The Wikipedia article's first edit gave IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000. http://standards.ieee.org as the source of "PFS is also known as forward secrecy". This may indicate PFS was earlier. I've no free access to this document... – kelalaka Jul 05 '20 at 19:49
  • 1
    “Also known as” and “misnamed as” is no contradiction. – gnasher729 Dec 06 '21 at 07:12

3 Answers

1

Forward secrecy of a key-establishment (KE) protocol means that compromising the parties' long-term keys doesn't affect the secrecy of keys established in the past.

Example to clarify what PFS means. Say parties A and B have private keys $s_A$ and $s_B$. Today they run KE and establish a key $k_1$. They use this key during a session, and then destroy this key. During this session, the attacker eavesdropped on all the messages and remembers the transcript $T$ of the session. Obviously, $T$ includes the messages of KE, and the subsequent "data" messages, encrypted with key $k_1$. Tomorrow, the attacker somehow gets keys $s_A$ and $s_B$, but not $k_1$ (because $k_1$ was destroyed and forgotten by $A$ and $B$). And here comes the PFS property of KE: even having $T$, $s_A$ and $s_B$, the attacker is unable to find $k_1$ and decrypt the messages hidden in $T$.

Then, answering your question, why in PFS the word "perfect" is ambiguous. It's an opinion of M. Green obviously, but I will try to guess what he means. Actually I feel pretty much the same regarding this term. "Perfect" is ambiguous here. E.g., we don't use "perfectly secure signature scheme", we just use "secure". Moreover, in cryptography the word "perfect" sometimes appears in order to describe that some property (usually some sort of secrecy) is based not on computational assumptions, but is perfect - i.e., unconditional and doesn't require any assumptions/hypotheses. Examples:

So, in cryptography "perfect" is usually a synonym for https://en.wikipedia.org/wiki/Information-theoretic_security. But for some stupid reason - not in this case (in the case of KE).

So, it would be clearer to have a term "Forward Secrecy", and then the additional "Perfect" would mean that it doesn't require any assumptions and is unconditional. But for some historic reason, in the literature PFS is used for regular forward secrecy.

Mikhail Koipish
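The transcript-and-leaked-keys scenario in the answer above, as an added runnable illustration (not the answerer's code): a session keyed only from the parties' long-term DH keys is set beside one where the long-term keys merely authenticate fresh ephemeral DH values. In both cases the attacker holds the transcript $T$ and later obtains $s_A$ and $s_B$; only in the ephemeral variant does that fail to recover $k_1$. The group parameters, the XOR "cipher" and the HMAC-based authentication of the ephemeral values are toy choices made for readability and are assumptions of this example, not real-world parameters or any particular protocol.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, for illustration only): the Mersenne
# prime 2^127 - 1 and base 5. Real deployments use standardised groups or
# elliptic curves, not these values.
P = (1 << 127) - 1
G = 5


def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from a DH shared secret (toy KDF)."""
    return hashlib.sha256(b"toy-kdf|" + shared_secret.to_bytes(16, "big")).digest()


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 keystream. Encryption and decryption coincide."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def static_dh_session(s_a: int, s_b: int, message: bytes) -> dict:
    """No forward secrecy: k1 is derived from the long-term keys alone.
    The returned transcript T is everything an eavesdropper records."""
    pk_a, pk_b = pow(G, s_a, P), pow(G, s_b, P)
    k1 = kdf(pow(pk_b, s_a, P))            # A's computation
    assert k1 == kdf(pow(pk_a, s_b, P))    # B derives the same key
    return {"pk_a": pk_a, "pk_b": pk_b, "ct": xor_encrypt(k1, message)}


def ephemeral_dh_session(s_a: int, s_b: int, message: bytes) -> dict:
    """Forward secrecy: k1 comes from fresh exponents x, y that are erased
    after the session; the long-term keys only authenticate X and Y."""
    pk_a, pk_b = pow(G, s_a, P), pow(G, s_b, P)
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    X, Y = pow(G, x, P), pow(G, y, P)
    # Toy authentication (assumption): MAC the ephemeral values under a key
    # derived from the static DH secret g^(s_a s_b) that both parties can compute.
    auth_a = kdf(pow(pk_b, s_a, P))
    auth_b = kdf(pow(pk_a, s_b, P))
    tag_a = hmac.new(auth_a, X.to_bytes(16, "big"), "sha256").digest()
    tag_b = hmac.new(auth_b, Y.to_bytes(16, "big"), "sha256").digest()
    # Each side verifies the peer's tag before deriving a key.
    if not hmac.compare_digest(tag_a, hmac.new(auth_b, X.to_bytes(16, "big"), "sha256").digest()):
        raise ValueError("A's ephemeral value failed authentication")
    if not hmac.compare_digest(tag_b, hmac.new(auth_a, Y.to_bytes(16, "big"), "sha256").digest()):
        raise ValueError("B's ephemeral value failed authentication")
    k1 = kdf(pow(Y, x, P))                 # A's computation
    assert k1 == kdf(pow(X, y, P))         # B derives the same key
    transcript = {"pk_a": pk_a, "pk_b": pk_b, "X": X, "Y": Y,
                  "tag_a": tag_a, "tag_b": tag_b, "ct": xor_encrypt(k1, message)}
    del x, y, k1                           # session secrets destroyed
    return transcript


def attacker_recovers(transcript: dict, s_a: int, s_b: int) -> bytes:
    """Tomorrow's attacker: holds T plus both long-term keys. The only DH
    secret those yield is g^(s_a s_b); use it as the candidate k1 and decrypt."""
    candidate = kdf(pow(transcript["pk_b"], s_a, P))
    return xor_encrypt(candidate, transcript["ct"])


if __name__ == "__main__":
    s_a = secrets.randbelow(P - 2) + 1      # constructed long-term keys
    s_b = secrets.randbelow(P - 2) + 1
    msg = b"session data that should stay secret"
    print("static DH, keys leaked later:   ",
          attacker_recovers(static_dh_session(s_a, s_b, msg), s_a, s_b) == msg)
    print("ephemeral DH, keys leaked later:",
          attacker_recovers(ephemeral_dh_session(s_a, s_b, msg), s_a, s_b) == msg)
```

The static variant prints True (past traffic is exposed by a later key compromise) and the ephemeral variant prints False: with x and y gone, the leaked long-term keys let the attacker recompute only the authentication key, which is exactly what forward secrecy promises and exactly why the word "perfect" adds nothing here, since the protection still rests on the computational hardness of Diffie-Hellman in the group.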
1

Why was the term (perfect) originally attached to forward secrecy

No reason is given by Christoph G. Günther in An Identity-Based Key-Exchange Protocol (in proceedings of Eurocrypt 1989), which is the earliest use on record and claims the notion:

  • This modification restores a property of the Diffie-Hellman scheme, which we could call perfect forward secrecy. If Alice and Bob are not impersonated, when the protocol is run, finding the key $\zeta$ is as difficult as breaking the Diffie-Hellman scheme for every third party.

At least, it is clear that perfect does not mean that even a computationally unbounded adversary can't break the scheme.

So my opinion is that perfect is there because it sounds good, and makes a Three Letter Acronym that caught on.

fgrieu
0

The blog post by Matthew Green is an Op-Ed (Opinion Editorial) and is his opinion based on facts.

Further in the paragraph, Green says, "Many online messaging systems like off-the-record messaging use PFS by default, essentially deriving a new key with each message volley sent."

Green clearly identified forward secrecy as PFS (Private Forward Secrecy) the same as the wiki post, regardless of his opinion that FS is "misnamed" as PFS.

Both articles are saying the same thing and Green used an example of PFS. Also, my college says to never cite wiki as a reliable source (Research further, read the footnote sources).

I hope this helps.